I'm using an existing Splunk instance that already has hundreds of sources and source types. How can I search among the source names and source type names to find sources of interest? For example, I would like to know the names of all sources that contain the string "prod" in the source name itself.
That's easy, just search
| metadata type=sources | where match(source,"prod")
or
| metadata type=sourcetypes | where match(sourcetype,"prod")
to get just a list of the sourcetypes or sources, with a little info about each. Note that the match function uses regular expressions. To actually search the data, you can use
source="*prod*"
or
sourcetype="*prod*"
HTH
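As an added illustration (not part of the original answer), the same metadata lookup can be made case-insensitive, scoped to every index the user can read, and turned into a readable inventory of when each matching source was last seen. The "(?i)" flag, the index=* scoping and the strftime formatting are my additions; the metadata command's totalCount, firstTime and lastTime fields are standard outputs of that command:

```spl
| metadata type=sources index=*
| where match(source, "(?i)prod")
| eval firstSeen=strftime(firstTime, "%Y-%m-%d %H:%M:%S"),
       lastSeen=strftime(lastTime, "%Y-%m-%d %H:%M:%S")
| table source totalCount firstSeen lastSeen
| sort - lastSeen
```

Because metadata reads index summaries rather than raw events, this stays fast on an instance with hundreds of sources, and sorting by lastSeen makes stale or unexpectedly named sources easy to spot when reviewing what is actually feeding the indexes.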
Thanks for the catch on the typo, I fixed it!
Wow, that works like magic, thanks!!
One tiny typo in the second one:
match(sourcetypes,"prod")
should be
match(sourcetype,"prod")
Thanks again!
Updated my answer per your comments!
Sorry, I must not have explained myself well. Your suggestion will search the actual event data. I don't want to search the data. I only want to get a back a list of source names that match. I want to search this list of source names themselves, not the data in the sources.